[dns-operations] dns-operations Digest, Vol 92, Issue 13
Vernon Schryver
vjs at rhyolite.com
Mon Sep 9 14:59:30 UTC 2013
> Now we (including me) have known the dangers and limitations,
> so should we set max-udp-size to 1220 on every authoritative server?
Sometimes crazy conspiracy theories make too much sense. Please
make up one of your own from some facts:
- Some known major PKI failures were ostensibly in support of
nation states. Remember Comodo and DigiNotar
- Nation states hate encryption and do whatever they can against
it, from trying to outlaw it (e.g. pgp in the U.S.) to trying to
legislate weak keys or backdoors in encryption systems
(e.g. Clipper, also in the U.S.)
- DANE and TLSA cannot offer perfect security (nothing can), but would
significantly improve the PKI and complicate the work of government
snoops and censors.
- DANE and TLSA depend on DNSSEC.
- http://www.postfix.org/TLS_README.html#client_tls_dane
- a quick sample of DNSSEC A answers finds them all larger than 1220 bytes
- switching the DNS from UDP to TCP would fail because of TCP
costs including 3 times as many packets, server state, and
even time wait exhaustion
- DNS reflection DoS attacks have been used as reasons for
not supporting DNSSEC.
- this new furor over a dubious DNS security issue is being used
indirectly against DNSSEC
- http://scoreboard.verisignlabs.com/
http://scoreboard.verisignlabs.com/percent-trace.png
Vernon Schryver vjs at rhyolite.com
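An added example, not part of the post above: it builds a constructed DNSSEC-signed A response in DNS wire format and applies the server-side max-udp-size decision, showing how a 1220-byte ceiling turns a large signed answer into a TC reply and a TCP retry. The name, addresses, signature size (RSA-2048) and number of signatures are assumptions.

```python
import struct

def encode_name(name):
    """Dotted name -> uncompressed DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def rr(name, rtype, rdata, ttl=3600):
    """NAME TYPE CLASS(IN) TTL RDLENGTH RDATA, no name compression."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def signed_a_answer(name, addrs, nsigs=1, sig_bytes=256):
    """Constructed DNSSEC A response: header, question, A RRset, nsigs RRSIGs, OPT.
    sig_bytes=256 assumes an RSA-2048 key (assumption); nsigs > 1 models a key
    rollover where the RRset carries one signature per active key."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(addrs) + nsigs, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"".join(rr(name, 1, bytes(a)) for a in addrs)
    for keytag in range(nsigs):
        # RRSIG RDATA: type covered, algorithm (8 = RSASHA256), labels, original
        # TTL, expiration, inception, key tag, signer name, signature (placeholder)
        rdata = (struct.pack("!HBBIIIH", 1, 8, 2, 3600, 0, 0, keytag)
                 + encode_name("example.com") + b"\x00" * sig_bytes)
        answer += rr(name, 46, rdata)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)  # EDNS0 OPT, DO set
    return header + question + answer + opt

def question_end(msg):
    """Offset just past the (single) question section."""
    i = 12
    while msg[i]:
        i += msg[i] + 1
    return i + 1 + 4

def udp_reply(response, client_bufsize, max_udp_size):
    """Server-side UDP decision: the message must fit min(client EDNS buffer,
    max-udp-size); otherwise send header + question + OPT with TC set, which
    makes the client retry over TCP. Returns (wire bytes, truncated?)."""
    limit = min(client_bufsize, max_udp_size)
    if len(response) <= limit:
        return response, False
    flags = struct.unpack("!H", response[2:4])[0] | 0x0200  # TC bit
    header = response[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 1)
    return header + response[12:question_end(response)] + response[-11:], True
```

With max-udp-size 1220 the single-signature answer still fits, but the same RRset carrying several signatures (as during a key rollover) is cut down to a 44-byte TC reply and every such query pays for a TCP connection.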